Oooops, I was much too excessive in my last post.
No problem with your point of view, it is also one of mine: Points of
view are multiple, that helps finding out some non-standard ideas.
Of course the Internet is open, worldwide, dynamic, reactive. All of this is
good. I want to preserve and even increase it. What I pointed out with DNS
is its too static protocol which leads to error prone batches aiming
to provide dynamic updates on a well known static file based protocol.
Anyway, I appreciate your opinion, and as I said, I share a lot of it.
What I support in Emmanuel's first post is an interesting idea:
Increasing the effort on the systems admin side could be more effective (more
security for less effort) than increasing the effort on the hacker repression.
This *DOES NOT* mean I want any kind of impunity for attackers. They are to be
punished when they commit crimes (which definition might be discussed a lot,
it's not my purpose here)
This *DOES NOT* mean either I support any kind of unfair fines or other
condemnation to people providing services to the Internet when they do
their best.
It means I have the feeling many companies do not want to pay a single penny
for security while they want to give access to confidential information to
some third parties using the Internet. This is bad because it endangers not
only the company, but other people/companies that would suffer from the
confidential information being widespread.
Yes Internet is changing. Yes it becomes more and more vital an infrastructure
for our countries (not only the US). Yes it needs to adapt to that new status.
No I don't like proprietary, expensive, monopolistic, static, rigid systems
such as the one you mentioned can be (in some of their aspects): Microsoft,
IBM, AOL, DOD, ...
I do think and I *DO* HOPE this will not necessarily occur, because the
Internet is mature and powerful enough to cope with that kind of risk.
I think the potential cost of real exploits for networks where there are *real*
risks is huge. It is not limited to the company running the network.
Imagine an attack against a major bank or market place or insurance that would
cause the company to stop running for a few days. It is not pure fiction, that
could happen.
The way the financial market works (every company having huge counterparty
risk) would cause a big panic/crash where that would happen.
A weak security in a company network can truly endanger a whole economy.
Worldwide.
I agree with you that government fines are probably not the better solution.
Small attacks from 'soft or not so soft' hackers performing DoS teardrop
attacks are a "natural" fine for low security network owners.
I would suggest that Standard & Poor's, Moody's and all rating agencies would
consider lowering the long term rating of a bank that runs a low security
policy on its network. It seems to me normal to consider the IS risk the same
way they consider their Financial risks : accept part of it knowingly. Firewalls
are less expensive than derivatives !
That would be a heavy fine (a low rating is a very high cost) for banks.
Another idea would be a kind of "internet license", the same way a driving
license allows its owner to use a vehicle that potentially endangers the society,
an "internet license" could be required by some societies (not all countries,
not all communities, ...) in order to connect their infrastructure to the
Internet, when it potentially endangers the society. Nations are probably not
enough of a community on the Internet to be able to do that. Banking systems
already do that kind of check : You can not connect to some electronic market
place if your IS infrastructure is not fully fault tolerant with less than a 1
hour off line window in case of a major disaster.
But maybe the system will finally come naturally to a better level when
customers will take the companies' security efforts into account to make it an
advantage over less secure competitors.
On Thursday, March 12, 1998 10:33 AM, josh . tolle @ rhii . com (Tolle; Josh) wrote:
> Now, with this philosophy you're stating that *you* would take full
> responsibility for financing an national company's move onto the Internet
> and, if not, be willing to pay more because nothing less than a
> quad-processor Alpha 8400 series mainframe is necessary to hold all DNS
> information for the entire Internet and deal with the fact that it might
> not be updated (or might not be able to handle the update)?
No. Maybe my point was not clear enough. I hope you now understand it is not
what I wanted to say.
>
> This seems a really foolish standpoint in my mind. You are enjoying the
> freedom of the Internet and yet want to have a government make security
> rules (which are quite obviously not going to be universal, and you're
> naive if you even entertain the idea that they'll be able to come to some
> agreement with *every* country who is on the Internet) and cause us to be
> cut off from the rest of the world? Eventually, that's what it will come
No.
> to. We (US citizens) already cannot distribute, electronically,
And it is a pain.
> cryptographic code. We cannot distribute any software that is truly secure
> to a foreign country. We cannot leave the borders of the country and write
> cryptographic code. What will happen is exactly what the US government
> currently seems to want: we will again only have ARPANet as opposed to
I hope it won't. I also think they are going the wrong way.
> having Internet. The government will tighten down restrictions on
> companies to the point that no one outside the US will be able to decipher
> anything (without considerable effort).
If they are not the target of the message, I would like them not to be able to decipher it.
I think the concept of a national border is nonsense. I hope Internet will
provide a new concept strong enough to cope with that old "nation border" one.
>
> Giving the government the ball seems like an idiotic plan to me. The whole
Good point.
As a French citizen, I am not used to the same kind of government power as
you are, but you are right. The government should not be the actor on it.
Nevertheless, it should do its best to enforce security on the Internet by
providing help, example and advice, no rules.
> reason the Internet is the Internet is because the control was taken from
> the government by the people (which is pretty much the way things happen in
> a democracy) and the people distributed it to their friends and colleagues
> everywhere (no offense, but that's my understanding of it, correct me if
> I'm wrong). If we were to hand it back to them now, when the debate is
> such an issue, you could say good-bye to everyone you even exchange e-mail
> with outside the borders of the US. The Internet as we know it would
> crumble for us (not necessarily the rest of the world) and we'd be left
> with a nationwide AOL, which is something that would give me nightmares and
> probably force me to give up my citizenship for.
I also ask for a cyberzenship more than a citizenship :)
>
> If you want to punish the people who make the Internet what it is (a
> worldwide WAN), you're going to find that it's not going to be there
> anymore. It will be run by IBM and Microsoft and the DOD, the people with
> the money to pay the fines and the people who are handing out the violations.
>
> It upsets me to think that there are people out there who put electronic
> crime into a different category than any other. Would you also have
> convenient store owners fined for getting robbed? Sounds ludicrous,
Not for getting robbed, but the fact is they get nothing from their insurance
if their door was open at night !
> doesn't it? That's what you're basically saying by saying that the
> providers of a service (the people who own the servers which comprise the
> Internet) be fined for getting broken into because some little 14-year-old
> decided that it would be neat to poke around and see whose panties they
> could peek into.
>
>
> Darren and all those on this list who are not within the confines of the US
> borders: I'm sorry to have presented such a US-based opinion, but it's my
> environment and it's all I know currently.
That's a lot, anyway!
>
>
> Thank you,
You're welcome :) !
> Josh Tolle
>
>
> At 12:17 PM 3/12/98 +0100, Paul BOYER wrote:
> >Subject: [off-topic] RE: Busting sysadmin, not crackers (was: Pentagon Hackers Caught
> >
> >I fully agree with you, Emmanuel.
--snip-- (too long mail already)
My personal views. Not my employer's.
Paul Boyer